Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.
No setup needed. Let our cloud agents run this skill for you.
Select Provider
Select Model
Claude Sonnet 4.5
$0.20/task
Best for coding tasks
No setup required
AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
Red Team Tools and Methodology
Purpose
Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.
Inputs/Prerequisites
Target scope definition (domains, IP ranges, applications)
Linux-based attack machine (Kali, Ubuntu)
Bug bounty program rules and scope
Tool dependencies installed (Go, Python, Ruby)
API keys for various services (Shodan, Censys, etc.)
Outputs/Deliverables
Comprehensive subdomain enumeration
Live host discovery and technology fingerprinting
Identified vulnerabilities and attack vectors
Automated recon pipeline outputs
Documented findings for reporting
Core Workflow
1. Project Tracking and Acquisitions
Set up reconnaissance tracking:
# Create project structuremkdir -p target/{recon,vulns,reports}cd target# Find acquisitions using Crunchbase# Search manually for subsidiary companies# Get ASN for targetsamass intel -org "Target Company" -src# Alternative ASN lookupcurl -s "https://bgp.he.net/search?search=targetcompany&commit=Search"
# Check which hosts are live with httprobecat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt# Use httpx for more detailscat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt# Alternative with massdnsmassdns -r resolvers.txt -t A -o S domains.txt > resolved.txt
# Directory bruteforce with ffufffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt# Historical URLs from Waybackwaybackurls target.com | tee wayback.txt# Find all URLs with gaugau target.com | tee all_urls.txt# Parameter discoverycat all_urls.txt | grep "=" | sort
6. Application Analysis (Jason Haddix Method)
Heat Map Priority Areas:
File Uploads - Test for injection, XXE, SSRF, shell upload
Content Types - Filter Burp for multipart forms
APIs - Look for hidden methods, lack of auth
Profile Sections - Stored XSS, custom fields
Integrations - SSRF through third parties
Error Pages - Exotic injection points
Analysis Questions:
How does the app pass data? (Params, API, Hybrid)
Where does the app talk about users? (UID, UUID endpoints)
Does the site have multi-tenancy or user levels?
Does it have a unique threat model?
How does the site handle XSS/CSRF?
Has the site had past writeups/exploits?
7. Automated XSS Hunting
# ParamSpider for parameter extractionpython3 paramspider.py --domain target.com -o params.txt# Filter with Gxsscat params.txt | Gxss -p test# Dalfox for XSS testingcat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt# Alternative workflowwaybackurls target.com | grep
8. Vulnerability Scanning
# Nuclei comprehensive scannuclei -l hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt# Check for common CVEsnuclei -l hosts.txt -t cves/ -o cve_results.txt# Web vulnerabilitiesnuclei -l hosts.txt -t vulnerabilities/ -o vuln_results.txt
9. API Enumeration
Wordlists for API fuzzing:
# Enumerate API endpointsffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt# Test API versionsffuf -u https://target.com/api/v1/FUZZ -w api_wordlist.txtffuf -u https://target.com/api/v2/FUZZ -w api_wordlist.txt# Check for hidden methodsfor method in GET POST PUT DELETE PATCH; do curl
Claude Sonnet 4.5